Multi MFA providers with ASA and ISE

Gavin Lodge
Level 1

Hi 

I currently have the following:

 

An ASA 5515 configured for RADIUS pointing at an external RSA server (radius_group1). This provides MFA for AnyConnect users and has a dedicated group-policy and tunnel group. Users can authenticate using just the RSA passcode and gain access to the network.

 

I then have another RADIUS group configured (radius_group2) for DUO MFA; the ASA has a separate group-policy and tunnel group configured specifically for DUO. The radius_group2 points to ISE in the first instance and then ISE points to the DUO proxy RADIUS server. ISE is configured with a policy for authentication (DUO proxy - this is what initiates the DUO push to the mobiles), then authorisation is configured to check AD group membership and then the DACLs are applied. This part works perfectly.

 

What I need to do is configure the RSA solution in the same way with DACLs per AD group membership. Unfortunately the RSA is not SecurID, only external RADIUS. How would I configure the ASA to firstly authenticate the user using the external RSA RADIUS server and then ask ISE for authorisation using a new or the existing policy? The current policy for DUO uses the following conditions - Device:Device type and Radius:NAS-port-type.

 

Thanks in advance

    
